chore(ci): Establish quality gate and strengthen pre-commit hook

2026-04-22 02:07:55 +00:00 · 2025-11-19 18:35:11 +03:00
parent 51028e6344
commit 49cdcb523c
2 changed files with 98 additions and 0 deletions
@@ -0,0 +1,89 @@
+name: Quality Gate
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main, develop ]
+  workflow_dispatch:
+
+jobs:
+  # ========================================
+  # BUILD, LINT & TEST (CRITICAL)
+  # ========================================
+  quality-gate:
+    name: Build, Lint & Test
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Cache npm dependencies
+        uses: actions/cache@v4
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+
+      - name: Install dependencies
+        # Use workspace root package-lock.json
+        run: npm ci
+
+      - name: Run Linter
+        # Use web workspace for linting
+        run: npm run lint -w web
+
+      - name: Run Tests
+        # Use web workspace for testing
+        run: npm run test -w web -- --run
+
+      - name: Build Project
+        # Use web workspace for building
+        run: npm run build -w web
+
+  # ========================================
+  # SECURITY CHECKS (INFORMATIVE)
+  # ========================================
+  security-audit:
+    name: Security Audit
+    runs-on: ubuntu-latest
+    needs: quality-gate
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Cache npm dependencies
+        uses: actions/cache@v4
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+            
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run npm audit
+        continue-on-error: true
+        run: npm audit --audit-level=high
+
+      - name: TruffleHog Secret Scan
+        continue-on-error: true
+        uses: trufflesecurity/trufflehog@main
+        with:
+          path: ./
+          base: ${{ github.event.repository.default_branch }}
+          head: HEAD